I have just implemented LAPS in my environment and obviously want to take advantage of that by using the LAPS-managed local administrator user to deploy and scan with.
My problem is I get access denied to the ADMIN$ share while trying to do a scan of the computer that has LAPS enabled.
I have found out I can fix this by setting the registry value FilterAdministratorToken to 1 (this, however, should not be necessary according to your documentation, since this computer is domain joined in a domain with a functional level of Windows Server 2012 R2).
Now that I have fixed the admin access denied problem, another problem arises when trying to do a scan: PDQ service manager logon failure. This can be fixed by adding the local administrator account to the "Log on as a service" policy with gpedit.msc. (However, with my current setup, the account gets automatically added the first time you do a scan, so I find it weird that my LAPS local admin account does not get added when initiating a scan; it seems some rights are missing.) I am using a local administrator account that I have created called LAPSadmin, not the built-in Administrator, and it seems it's related to that?
EDIT: My current setup works without any issues, using a domain account that is added to the local Administrators group on all the machines, but I want to move away from this due to pass-the-hash attacks.
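The two settings the post above touches, shown as an added PowerShell example that is not part of the original post and is not PDQ's own code. It reads the UAC values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and grants "Log on as a service" (SeServiceLogonRight, the same entry gpedit.msc edits under User Rights Assignment) to a named local account with secedit. The account name LAPSadmin, the scratch file names and the -DisableRemoteUacFilter switch are assumptions. One caveat a practitioner should know: FilterAdministratorToken = 1 enables Admin Approval Mode for the built-in Administrator, while the documented value that stops UAC from filtering the remote token of other local administrators (such as a custom LAPS-managed account) is LocalAccountTokenFilterPolicy = 1 (KB951016); the script only reports both values unless you pass the switch.

```powershell
# Added example, not from the original post and not PDQ's own code.
# Run elevated on the target machine. Account name and temp file names are assumptions.
param(
    [string]$AccountName = "$env:COMPUTERNAME\LAPSadmin",   # hypothetical LAPS-managed local admin
    [switch]$DisableRemoteUacFilter                         # only write the registry when asked to
)

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacRemoteRestriction {
    # FilterAdministratorToken = 1 puts the built-in Administrator into Admin Approval Mode.
    # LocalAccountTokenFilterPolicy = 1 stops UAC from filtering the remote token of *other*
    # local administrators, which is what a non-built-in account needs for ADMIN$ access.
    # A missing value reads as $null, which [int] turns into 0 (the default behaviour).
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FilterAdministratorToken      = [int]($p.FilterAdministratorToken)
        LocalAccountTokenFilterPolicy = [int]($p.LocalAccountTokenFilterPolicy)
    }
}

function Set-LocalAccountTokenFilterPolicy {
    param([ValidateSet(0, 1)][int]$Value = 1)
    New-ItemProperty -Path $PolicyKey -Name 'LocalAccountTokenFilterPolicy' `
        -PropertyType DWord -Value $Value -Force | Out-Null
}

function Grant-ServiceLogonRight {
    # Adds $Account to SeServiceLogonRight ("Log on as a service") via secedit export/configure.
    param([Parameter(Mandatory)][string]$Account)

    # Store the SID (secedit's "*S-1-5-..." form) so the entry does not depend on name lookup.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    $base = Join-Path $env:TEMP 'svc-logon-right'   # assumed scratch location
    $cfg  = "$base.inf"
    $db   = "$base.sdb"
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

    $lines = @(Get-Content -Path $cfg)
    $idx = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^SeServiceLogonRight\s*=') { $idx = $i; break }
    }
    if ($idx -ge 0) {
        # Right already assigned to someone: append our SID unless it is already listed
        # (by SID, or by name if it was granted through the GUI).
        if ($lines[$idx] -match [regex]::Escape($sid) -or
            $lines[$idx] -match [regex]::Escape($Account)) { return 'already granted' }
        $lines[$idx] = $lines[$idx].TrimEnd() + ",*$sid"
    } else {
        # Nobody holds the right yet: add a fresh line under [Privilege Rights].
        $section = [array]::IndexOf($lines, '[Privilege Rights]')
        if ($section -lt 0) { throw 'secedit export has no [Privilege Rights] section' }
        $lines = $lines[0..$section] + "SeServiceLogonRight = *$sid" +
                 $lines[($section + 1)..($lines.Count - 1)]
    }
    Set-Content -Path $cfg -Value $lines -Encoding Unicode    # secedit templates are UTF-16
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    Remove-Item -Path $cfg, $db -ErrorAction SilentlyContinue
    return 'granted'
}

# Report the current UAC values, optionally disable remote token filtering, then grant the right.
$before = Get-UacRemoteRestriction
Write-Output ("FilterAdministratorToken={0} LocalAccountTokenFilterPolicy={1}" -f
              $before.FilterAdministratorToken, $before.LocalAccountTokenFilterPolicy)
if ($DisableRemoteUacFilter) { Set-LocalAccountTokenFilterPolicy -Value 1 }
Write-Output ("Log on as a service for ${AccountName}: " + (Grant-ServiceLogonRight -Account $AccountName))
```

Run it elevated on one LAPS-enabled machine first and compare the printed values with a machine that scans cleanly. Both secedit and gpedit.msc write local security policy; if a domain GPO also defines "Log on as a service", the domain setting replaces the local list at the next policy refresh, so a right that is needed fleet-wide belongs in that GPO rather than in a per-host script.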